Percona XtraBackup needs to be able to connect to the database server and perform operations on the server and the datadir when creating a backup, when preparing in some scenarios and when restoring it. In order to do so, there are privileges and permission requirements on its execution that must be fulfilled.

Privileges refer to the operations that a system user is permitted to do in the database server. They are set at the database server and only apply to users in the database server.

Permissions are what permit a user to perform operations on the system, such as reading, writing or executing in a certain directory, or starting/stopping a system service. They are set at a system level and only apply to system users.

Whether xtrabackup or innobackupex is used, there are two actors involved: the user invoking the program - a system user - and the user performing actions in the database server - a database user. Note that these are different users in different places, even though they may have the same username.

All the invocations of innobackupex and xtrabackup in this documentation assume that the system user has the appropriate permissions, that you are providing the relevant options for connecting to the database server - besides the options for the action to be performed - and that the database user has adequate privileges.

Once connected to the server, in order to perform a backup you will need READ, WRITE and EXECUTE permissions at a filesystem level in the server’s datadir.

The database user needs the following privileges on the tables / databases to be backed up:

RELOAD and LOCK TABLES (unless the --no-lock option is specified) in order to FLUSH TABLES WITH READ LOCK and FLUSH ENGINE LOGS prior to starting to copy the files, and LOCK TABLES FOR BACKUP and LOCK BINLOG FOR BACKUP require this privilege when Backup Locks are used,
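
The following shell functions are an added example, not part of the Percona XtraBackup documentation: they check the system user's access to the datadir and compare SHOW GRANTS output against the privileges named above. The account name bkpuser, the shop schema and the sample grant lines are constructed, and the check assumes a full-server backup, so only global (ON *.*) grants count.

```shell
#!/bin/sh
# Added example: audit the two actors (system user, database user) before a backup.

# Privileges named on this page for the database user (the page's list continues).
REQUIRED_PRIVS="RELOAD
LOCK TABLES"

# Succeed only if the invoking system user has read, write and execute
# permission on the given datadir.
datadir_access_ok() {
    [ -d "$1" ] && [ -r "$1" ] && [ -w "$1" ] && [ -x "$1" ]
}

# Read SHOW GRANTS output on stdin and print every required privilege that
# no global (ON *.*) grant covers. Prints nothing when all are present.
# Assumption: a full-server backup, so schema-level grants are not counted.
missing_backup_privs() {
    # Keep the privilege list of each global grant, one privilege per line.
    granted=$(sed -n 's/^GRANT \(.*\) ON \*\.\* TO .*$/\1/p' |
        tr ',' '\n' | sed 's/^ *//; s/ *$//')
    printf '%s\n' "$REQUIRED_PRIVS" | while IFS= read -r priv; do
        if printf '%s\n' "$granted" | grep -qxF -e "$priv" -e 'ALL PRIVILEGES'; then
            continue
        fi
        printf '%s\n' "$priv"
    done
}

# Constructed sample: RELOAD is global, LOCK TABLES only covers one schema.
SAMPLE_GRANTS='GRANT RELOAD ON *.* TO `bkpuser`@`localhost`
GRANT LOCK TABLES ON `shop`.* TO `bkpuser`@`localhost`'

# Against a live server, feed the function real output instead, e.g.:
#   mysql -N -e 'SHOW GRANTS FOR CURRENT_USER()' | missing_backup_privs
printf 'Missing for sample account: %s\n' \
    "$(printf '%s\n' "$SAMPLE_GRANTS" | missing_backup_privs | tr '\n' ' ')"
```

Running datadir_access_ok as root always succeeds on an existing directory, so run it as the system user that will actually invoke the backup.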